Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package ghost, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (21)
CVE-2022-27139 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted…
CVE-2022-28397 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a…
CVE-2026-26980 — CVSS 9.4 (critical): Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads…
CVE-2024-23724 — CVSS 9.0 (critical): Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG…
CVE-2026-24778 — CVSS 8.8 (high): Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able…
CVE-2026-22594 — CVSS 8.1 (high): Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA…
CVE-2026-22595 — CVSS 8.1 (high): Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's…
CVE-2020-8134 — CVSS 8.1 (high): Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 allows an attacker to scan local or external network or otherwise…
CVE-2026-29053 — CVSS 7.6 (high): Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary…
CVE-2026-29784 — CVSS 7.5 (high): Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it…
CVE-2023-31133 — CVSS 7.5 (high): Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to…
CVE-2023-32235 — CVSS 7.5 (high): Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/…
CVE-2021-29484 — CVSS 6.8 (medium): Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining…
CVE-2026-22596 — CVSS 6.7 (medium): Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's…
CVE-2025-9862 — CVSS 6.5 (medium): Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources.This issue affects Ghost: from…
CVE-2024-43409 — CVSS 6.5 (medium): Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to…
CVE-2021-39192 — CVSS 6.5 (medium): Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows…
CVE-2024-23725 — CVSS 6.1 (medium): Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
CVE-2023-40028 — CVSS 4.9 (medium): Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users…
CVE-2022-41654 — CVSS 4.3 (medium): An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A…
CVE-2026-22597 — CVSS 2.7 (low): Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s…